---
features:
  - >
    [`blueprint password-expires-validation <https://blueprints.launchpad.net/keystone/+spec/password-expires-validation>`_]
    Token responses will now have a ``password_expires_at`` field in the
    ``user`` object, this can be expressed briefly as::

      {"token": {"user": {"password_expires_at": null}}}

    If PCI support is enabled, via the ``[security_compliance]`` configuration
    options, then the ``password_expires_at`` field will be populated with a
    timestamp. Otherwise, it will default to ``null``, indicating the password
    does not expire.